AD RMS Firewall Considerations

Updated: January 14, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

The Microsoft Windows Firewall is a host-based firewall application that is installed and turned on by default in Windows Server 2008. If you want to use the functionality of the Windows Firewall within your Active Directory Rights Management Services (AD RMS) infrastructure, you must create a few firewall exceptions.

Note

This topic only discusses the firewall exceptions that are specific to AD RMS. Sometimes additional exceptions need to be made for other applications.

The following table shows the port exceptions that should be made on each AD RMS server in the cluster. It is not necessary to open both ports at the same time. For HTTP transmission, you should only open TCP port 80. If your AD RMS environment is using Secure Sockets Layer (SSL) or HTTPS, you should only open TCP port 443. The default port for SSL is TCP port 443. If your organization is using a port number for SSL other than the default, you should use that port instead.

Note

When AD RMS is installed, the appropriate exception described in the following table is created and enabled automatically.

Port Exception

Description

TCP 80

HTTP

TCP 443

HTTPS or SSL communication

If there is more than one server in the AD RMS cluster, or the AD RMS database server is not on the AD RMS in a single-server deployment, the following port exceptions should be created on the database server that is hosting the AD RMS databases. This table assumes that you are using Microsoft SQL Server 2005 or later.

Port Exception

Description

TCP 445

SQL Server Named Pipes (used for provisioning the AD RMS server)

TCP 1433

Default Microsoft SQL Server listening port

UDP 1434

Microsoft SQL Server Browser Service

Important

It is important to remember the following:

Enable remote connections for each instance of SQL Server that you want to connect to from a remote computer.

Enable the SQL Server Browser service.

If you are running the Windows firewall on the computer that is running SQL Server, external connections to SQL Server may be blocked unless SQL Server and the SQL Server Browser service can communicate through the firewall. This can be done by creating exceptions for SQL Server and the SQL Server Browser service in the Windows firewall.

The AD RMS cluster must be able to communicate with an Active Directory Global Catalog server. The following port exception should be enabled on the Active Directory Global Catalog server to enable the AD RMS cluster to communicate with it.

Port Exception

Description

TCP 3268

Global Catalog Server port

In addition to creating these port exceptions, special considerations should be taken when configuring the firewall scope. Unless your AD RMS environment is used in an extranet scenario, you should restrict all traffic to your organization's network. If your AD RMS environment needs to be available to client computers outside of your organization's network, you should allow any computer on the Internet to connect to only TCP port 443 or TCP port 80.

Caution

In an AD RMS environment, TCP port 445 is used to provision an AD RMS server, but this port is also the file sharing port for all computers that are running Microsoft Windows 2000 or later. Unless you have a specific need for other computers on your network to have access to this port, you should restrict the scope so that only the AD RMS cluster has access to TCP port 445 on the AD RMS database server.